Description
In the Linux kernel, the following vulnerability has been resolved:

xprtrdma: Decrement re_receiving on the early exit paths

In the event that rpcrdma_post_recvs() fails to create a work request
(due to memory allocation failure, say) or otherwise exits early, we
should decrement ep->re_receiving before returning. Otherwise we will
hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and
the completion will never be triggered.

On a system with high memory pressure, this can appear as the following
hung task:

INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.
Tainted: G S E 6.19.0 #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000
Workqueue: xprtiod xprt_autoclose [sunrpc]
Call Trace:
<TASK>
__schedule+0x48b/0x18b0
? ib_post_send_mad+0x247/0xae0 [ib_core]
schedule+0x27/0xf0
schedule_timeout+0x104/0x110
__wait_for_common+0x98/0x180
? __pfx_schedule_timeout+0x10/0x10
wait_for_completion+0x24/0x40
rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]
xprt_rdma_close+0x12/0x40 [rpcrdma]
xprt_autoclose+0x5f/0x120 [sunrpc]
process_one_work+0x191/0x3e0
worker_thread+0x2e3/0x420
? __pfx_worker_thread+0x10/0x10
kthread+0x10d/0x230
? __pfx_kthread+0x10/0x10
ret_from_fork+0x273/0x2b0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

At the core of this kernel flaw is a failure to decrement the re_receiving counter in the xprtrdma subsystem when rpcrdma_post_recvs exits prematurely or cannot allocate a work request. Because the counter never reaches zero, rpcrdma_xprt_drain blocks indefinitely, causing a kernel worker task to hang and the system to be unable to process RDMA RPC traffic. The weakness can be classified as CWE‑772 (Missing Release of Resource) due to the unreleased counter resource. The direct consequence is a local denial of service manifested as hung kernel tasks and degraded system responsiveness.

Affected Systems

This defect exists wherever the legacy xprtrdma RPC transport is compiled into the Linux kernel, from kernel 6.18 and earlier up to 7.0‑rc3 as indicated by the known CPE ranges. It is present in all releases that have not applied the kernel patches referenced in the CVE advisory. No specific version numbers beyond the range are provided; any kernel build that includes the xprtrdma stack is potentially affected.

Risk and Exploitability

The vulnerability is scored CVSS 7.5, EPSS <1%, and is not listed in the CISA KEV catalog. It cannot be exploited remotely; the attack vector is local, requiring a process that can trigger a high‑memory or allocation failure so that rpcrdma_post_recvs exits early. Based on the description, it is inferred that a privileged user or a kernel‑module attacker could induce the failure. The low EPSS indicates that exploitation is unlikely, and the impact is confined to the local system where the kernel runs.

Generated by OpenCVE AI on May 21, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that incorporates the xprtrdma patch committed in the referenced kernel patches.
  • If immediate patching is impractical, reduce memory pressure or limit the number of concurrent RDMA RPCs to prevent allocation failures.
  • Monitor kernel logs for repeated hung task messages and, if sunrpc or rpcrdma services are not required, consider disabling them temporarily to prevent the defect from affecting system availability.

Generated by OpenCVE AI on May 21, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered. On a system with high memory pressure, this can appear as the following hung task: INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. Tainted: G S E 6.19.0 #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 Workqueue: xprtiod xprt_autoclose [sunrpc] Call Trace: <TASK> __schedule+0x48b/0x18b0 ? ib_post_send_mad+0x247/0xae0 [ib_core] schedule+0x27/0xf0 schedule_timeout+0x104/0x110 __wait_for_common+0x98/0x180 ? __pfx_schedule_timeout+0x10/0x10 wait_for_completion+0x24/0x40 rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] xprt_rdma_close+0x12/0x40 [rpcrdma] xprt_autoclose+0x5f/0x120 [sunrpc] process_one_work+0x191/0x3e0 worker_thread+0x2e3/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x273/0x2b0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30
Title xprtrdma: Decrement re_receiving on the early exit paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:25:12.698Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43469

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:59.957

Modified: 2026-05-21T14:58:32.127

Link: CVE-2026-43469

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43469 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T17:00:14Z

Weaknesses